Internet Forensics

Internet Forensics uses the combination of advanced computing techniques and human intuition to uncover clues about people and computers involved in Internet crime, most notably fraud and identity theft.

Craic has a particular interest in this aspect of computer security and undertakes research and education in the field.

Dynamic DNS and Location Tracking

Dynamic DNS allows a static hostname to be associated with residential
or mobile computers that are assigned dynamic IP addresses by their ISPs.

However, this convenience comes with a potential risk to privacy in
that one can easily monitor the IP address assigned to any given FQDN
using basic DNS lookup tools. It is possible to track changes in the
IP addresses used by a mobile user over time and, in many cases, infer
the approximate geographical location of that user.

While there are legitimate uses for such monitoring, it can also
represent a significant risk to the privacy of certain users.
This risk is largely unrecognized by users of Dynamic DNS services.
The issues are described in the
following Technical Report.

An Analysis of Abusive Usenet Postings

Abusive messages are a common problem on many Usenet groups. These can range from childish insults to outright threats of violence. They represent a nuisance comparable to spam and, like spam, there is not a lot that can be done about them as the original senders often disguise their identities.

But in some cases one can uncover information about the origin of a message from the IP address of the NNTP posting host. Reverse DNS and WHOIS lookups can identify a user's ISP and sometimes provide their approximate geographic location. If a particular individual is suspected of being the source of messages then one can correlate the IP addresses of abusive postings with other activities of that user such as email or visits to a web site. That can prove or disprove the linkage between the user and the abusive messages.
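The correlation described above can be sketched as follows. This is an added example, not code from Craic's report or from the USCF analysis. The articles, the Common Log Format web log, the account names and the one-hour matching window are all constructed assumptions.

```python
import ipaddress
import re
from datetime import datetime, timedelta
from email import message_from_string
from email.utils import parsedate_to_datetime

# Constructed sample data: documentation IP ranges, invented account names.
POSTS = [
    "Message-ID: <p1@news.example>\nDate: Mon, 01 Oct 2007 14:02:11 +0000\n"
    "NNTP-Posting-Host: 192.0.2.44\n\ntext",
    "Message-ID: <p2@news.example>\nDate: Tue, 02 Oct 2007 09:30:00 +0000\n"
    "NNTP-Posting-Host: 198.51.100.7\n\ntext",
    "Message-ID: <p3@news.example>\nDate: Tue, 02 Oct 2007 10:00:00 +0000\n"
    "NNTP-Posting-Host: dialup.isp.example\n\ntext",
]
ACCESS_LOG = """\
192.0.2.44 - member17 [01/Oct/2007:13:58:40 +0000] "GET /forum HTTP/1.1" 200 512
192.0.2.44 - member17 [05/Oct/2007:08:00:00 +0000] "GET /forum HTTP/1.1" 200 512
203.0.113.9 - member03 [02/Oct/2007:09:31:00 +0000] "GET /forum HTTP/1.1" 200 512
"""
LOG_RE = re.compile(r'^(\S+) \S+ (\S+) \[([^\]]+)\]')  # host ident authuser [time]

def posting_hosts(posts):
    """Yield (message_id, ip or None, datetime) for each article."""
    for raw in posts:
        msg = message_from_string(raw)
        host = (msg.get("NNTP-Posting-Host") or "").strip()
        try:
            ip = str(ipaddress.ip_address(host))
        except ValueError:
            ip = None  # hostname or missing header: cannot be matched by address
        yield msg["Message-ID"], ip, parsedate_to_datetime(msg["Date"])

def parse_access_log(text):
    """Return (ip, authuser, datetime) tuples from Common Log Format lines."""
    rows = []
    for m in filter(None, map(LOG_RE.match, text.splitlines())):
        when = datetime.strptime(m.group(3), "%d/%b/%Y:%H:%M:%S %z")
        rows.append((m.group(1), m.group(2), when))
    return rows

def correlate(posts, log_text, window=timedelta(hours=1)):
    """Map each message id to site accounts seen from the same IP within the window."""
    log = parse_access_log(log_text)
    result = {}
    for msgid, ip, when in posting_hosts(posts):
        result[msgid] = sorted({u for a, u, t in log if a == ip and abs(t - when) <= window})
    return result
```

An address shared by several users (NAT or a proxy) can return more than one account for a single post, so the window and the surrounding log entries should be reviewed before drawing a conclusion.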

In 2007 Brian Mottershead, a systems administrator with the United States Chess Federation (USCF), performed this type of analysis on a series of abusive Usenet posts in which the sender impersonated other individuals. These messages were suspected of being an attempt to discredit certain candidates in the run-up to an election to the USCF Executive Board.

In November 2007 Dr. Robert Jones was asked by a USCF member to review the data used by Mr. Mottershead and provide an independent assessment of
his report. Our report on the case is available here (PDF). The core technical conclusions were in
agreement with those of Mr. Mottershead.